Safety Report

Url Shorten

Name: Url Shorten
Author: Xejrax

@Xejrax

Shorten URLs via tinyurl or bitly API

1,188Downloads

0Installs

0Stars

1Versions

API Integration11,971

Security Analysis

high confidence

Suspicious

The skill is mostly coherent for URL shortening, but its runtime instructions reference an environment variable (BITLY_TOKEN) that is not declared in the registry metadata — this mismatch and the implied sending of user URLs to external shortening services are the main concerns.

Feb 11, 20261 files2 concerns

Purpose & Capabilityok

Name/description (shorten via tinyurl/bitly) aligns with the declared requirement for curl and the SKILL.md instructions. No unrelated binaries, installs, or capabilities are requested.

Instruction Scopeconcern

SKILL.md explicitly instructs the agent to use BITLY_TOKEN if set, falling back to tinyurl otherwise. The instructions do not direct the agent to read other system files, but they do rely on an environment variable that is not declared in the skill metadata, which is an inconsistency and a potential surprise at runtime.

Install Mechanismok

Instruction-only skill with no install steps and no code written to disk. Lowest-risk install posture.

Credentialsconcern

Requesting or using a BITLY_TOKEN would be proportional to the stated purpose, but the registry metadata lists no required env vars while SKILL.md references BITLY_TOKEN. The missing declaration reduces transparency about secret usage. Also, providing a token means the skill (when invoked) will send data to an external service, which has privacy implications.

Persistence & Privilegeok

Skill does not request always:true, does not modify agent/system config, and is user-invocable only. No elevated persistence or privileges are requested.

Guidance

This skill appears to do what it claims (shorten URLs) and has no install actions, but note two issues: (1) SKILL.md expects an environment variable named BITLY_TOKEN though the registry metadata does not declare it — the skill will read that env var if present, so only set it if you trust the skill and understand the token's permissions; (2) shortened URLs (and the original URLs you provide) will be transmitted to external services (tinyurl or bitly), so avoid shortening URLs that contain sensitive tokens, private paths, or personal data. If you need assurance, ask the author to update the registry to declare BITLY_TOKEN as an optional credential and to document which endpoints are used, or test with non-sensitive example URLs first.

Latest Release

v1.0.0

Initial publish

More by @Xejrax

File Search

8 stars

Pdf Extract

7 stars

Image Ocr

6 stars

System Info

3 stars

Media Player

2 stars

Docker Ctl

0 stars

Published by @Xejrax on ClawHub